Bug 468331 - "service netfs restart" causes errors and denials when "/etc/fstab" has context mounts
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2008-10-24 02:53 EDT by Murray McAllister
Modified: 2015-01-04 17:35 EST
Doc Type: Bug Fix
Last Closed: 2008-10-24 08:42:25 EDT

Attachments:
tests and denials (5.74 KB, text/plain), 2008-10-24 02:53 EDT, Murray McAllister

Description Murray McAllister 2008-10-24 02:53:35 EDT
Created attachment 321374: tests and denials

Description of problem:
The "service netfs restart" command fails if "/etc/fstab" has context mounts. Context mounts specified in "/etc/fstab" fail to mount.

Version-Release number of selected component (if applicable):
initscripts-8.84-1.i386

rpcbind-0.1.6-2.fc10.i386
nfs-utils-lib-1.1.4-1.fc10.i386
nfs-utils-1.1.4-1.fc10.i386

policycoreutils-2.0.57-4.fc10.i386
libselinux-python-2.0.73-1.fc10.i386
libselinux-2.0.73-1.fc10.i386
libselinux-utils-2.0.73-1.fc10.i386
selinux-policy-targeted-3.5.13-4.fc10.noarch
selinux-policy-3.5.13-4.fc10.noarch

How reproducible:
Always.

Steps to Reproduce:
1. See attached.
  
Actual results:
# service netfs restart
Mounting NFS filesystems:  mount.nfs: access denied by server while mounting localhost:/export/web
mount.nfs: access denied by server while mounting localhost:/export/database

Denials logged to /var/log/messages:

setroubleshoot: SELinux is preventing mount.nfs (mount_t) "relabelfrom" httpd_sys_content_t. For complete SELinux messages. run sealert -l 178f3a75-e83c-4ead-b57d-38efe1f49db5

setroubleshoot: SELinux is preventing mount.nfs (mount_t) "relabelfrom" mysqld_db_t. For complete SELinux messages. run sealert -l 667d2aec-83ad-4af5-b858-4d46ecc96e8a

Expected results:
No errors and file systems mount.

Additional info:
Works as expected on:

Red Hat Enterprise Linux Client release 5.2 (Tikanga)

initscripts-8.45.19.1.EL-1

portmap-4.0-65.2.2.1
nfs-utils-lib-1.0.8-7.2.z2
nfs-utils-1.0.9-35z.el5_2

policycoreutils-1.33.12-14.el5
libselinux-devel-1.33.4-5.el5
libselinux-python-1.33.4-5.el5
libselinux-1.33.4-5.el5
selinux-policy-targeted-2.4.6-137.1.el5_2
selinux-policy-2.4.6-137.1.el5_2

audit2allow suggested:

module testpolicy 1.0;

require {
        type mysqld_db_t;
        type httpd_sys_content_t;
        type mount_t;
        class filesystem relabelfrom;
}

#============= mount_t ==============
allow mount_t httpd_sys_content_t:filesystem relabelfrom;
allow mount_t mysqld_db_t:filesystem relabelfrom;

Comment 1 Daniel Walsh 2008-10-24 08:42:25 EDT
Fixed in selinux-policy-3.5.13-7.fc10
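
A triage helper for denials like the ones in this report, added here as an example and not part of the bug or of any Fedora tooling: before loading an audit2allow module, it checks that each denied type is one that an "/etc/fstab" context mount actually asks for. The log lines are the two quoted in the description; the fstab lines, mount points and option strings are constructed for illustration, since the real ones are only in the attachment.

```python
import re

# Constructed fstab lines (assumption: the attachment's real entries are not on this page).
SAMPLE_FSTAB = '''\
# device                   mountpoint  type  options  dump pass
localhost:/export/web      /mnt/web    nfs   context="system_u:object_r:httpd_sys_content_t:s0"  0 0
localhost:/export/database /mnt/db     nfs   rw,context="system_u:object_r:mysqld_db_t:s0"       0 0
/dev/sda1                  /boot       ext3  defaults                                            1 2
'''

# The two setroubleshoot lines quoted in the report.
SAMPLE_LOG = '''\
setroubleshoot: SELinux is preventing mount.nfs (mount_t) "relabelfrom" httpd_sys_content_t. For complete SELinux messages. run sealert -l 178f3a75-e83c-4ead-b57d-38efe1f49db5
setroubleshoot: SELinux is preventing mount.nfs (mount_t) "relabelfrom" mysqld_db_t. For complete SELinux messages. run sealert -l 667d2aec-83ad-4af5-b858-4d46ecc96e8a
'''

# context=, fscontext=, defcontext=, rootcontext=; quoted values may hold commas (MCS categories).
CTX_OPT = re.compile(r'(?:^|,)(?:fs|def|root)?context=(?:"([^"]+)"|([^,]+))')
DENIAL = re.compile(r'SELinux is preventing (\S+) \((\w+)\) "(\w+)" (\w+)\.')

def context_mounts(fstab_text):
    """Map each SELinux type named in a context-style mount option to the devices using it."""
    found = {}
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        for quoted, bare in CTX_OPT.findall(fields[3]):
            parts = (quoted or bare).split(":")
            if len(parts) >= 3:  # user:role:type[:level]
                found.setdefault(parts[2], []).append(fields[0])
    return found

def triage(fstab_text, log_text):
    """Pair every logged denial with the fstab entries that request the denied type."""
    mounts = context_mounts(fstab_text)
    return [{"comm": comm, "domain": domain, "perm": perm, "type": ttype,
             "fstab_devices": mounts.get(ttype, [])}
            for comm, domain, perm, ttype in DENIAL.findall(log_text)]

if __name__ == "__main__":
    for row in triage(SAMPLE_FSTAB, SAMPLE_LOG):
        origin = ", ".join(row["fstab_devices"]) or "no context mount in fstab"
        print(f'{row["domain"]} {row["perm"]} {row["type"]}: {origin}')
```

A denial whose type maps to no fstab entry is the one to investigate before allowing it in policy.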